The former chief security officer of Uber Technologies was sentenced to probation by a federal court judge as punishment for his involvement in covering up a 2016 data breach that affected 57 million users.

Judge William Orrick on Thursday handed down the sentence of three years of probation to Joseph Sullivan in U.S. District Court for the Northern District of California. The judge also ordered Sullivan to perform 200 hours of community service, issued a $50,000 fine, and mandated Sullivan not be allowed to travel internationally until the fine is paid.

Sullivan was found guilty by a jury in October of two felony counts of obstruction of justice and misprision of felony (concealment). He had faced up to five years in prison on the obstruction charge and three years on the concealment charge, prosecutors said at the time.

Sullivan was charged in 2020 for allegedly paying $100,000 in 2016 to hackers who successfully breached Uber’s data on 57 million of its users and drivers. The database included the license numbers for approximately 600,000 people who drove for Uber, federal prosecutors said.

Prosecutors alleged Sullivan took deliberate steps to “conceal, deflect, and mislead” the Federal Trade Commission (FTC) regarding the breach. The FTC was investigating the circumstances of a 2014 breach at Uber when the 2016 breach occurred. Instead of reporting the fresh breach to the FTC, Sullivan conspired to cover it up, prosecutors alleged.

In 2017, Uber hired a new chief executive officer, Dara Khosrowshahi, who along with his management team launched an investigation into the facts surrounding the 2016 breach. Sullivan was fired following the results of the probe.

Prosecutors recommended Sullivan be sentenced to 15 months in federal prison and preemptively criticized the possibility of a sentence of probation in an April 27 sentencing memorandum.

“A sentence of probation in this case would tacitly affirm” the lies Sullivan told in his defense, prosecutors said, and would minimize his wrongful conduct as being inadvertent or a mistake. It would also “ratify the lie that this case represents some drastic change in standards applicable to the cybersecurity industry and the government’s desire to partner with the private sector, including victims, in countering cyber threats. That is simply not the case,” prosecutors said.

In his ruling, Judge Orrick cited the uniqueness of the case among factors he considered, noting future violators should not expect similar leniency.

“If there are more, people should expect to spend time in custody, regardless of anything, and I hope everybody here recognizes that,” he said, according to the Wall Street Journal.

Sullivan’s attorney, David Angeli, did not respond to a request for comment. Uber also did not respond to a request for comment.

Aaron Nicodemus covers regulatory policy and compliance trends for Compliance Week. He previously worked as a reporter for Bloomberg Law and as business editor at the Telegram & Gazette in Worcester, Mass.

Topics